Eric Johnson is an instructor with the SANS Institute for DEV544: Secure Coding in .NET: Developing Defensible Applications, and an information security engineer at a financial institution, where he is responsible for secure code review assessments of Internet-facing web applications. Eric has spent nine years working in software development with over five years focusing on ASP.NET web application security. His experience includes software development, secure code review, risk assessment, static source code analysis, and security research. Eric completed a bachelor of science in computer engineering and a master of science in information assurance at Iowa State University. He currently holds the CISSP and GSSP-.NET certifications and is located in Las Vegas, NV.
The .NET 4.0 & 4.5 frameworks introduced new syntax shortcuts to HTML encode dynamic content being rendered to the browser. These shortcuts provide an easy way to protect against Cross-Site Scripting (XSS) attacks in the newer versions of the .NET framework.
All Frameworks - Vulnerable Code Example
First, let's review the two vulnerable instances of XSS in all versions of the .NET framework shown in the code snippet below. The first exploitable instance on line 1 is writing the dynamic server side variable, ProductType, to the browser without HTML encoding. The second exploitable instance on line 7 is writing the dynamic server side variable, Name, to the browser during the data binding of the products grid view. If an attacker had the ability to edit these fields, then a malicious value, such as <script>alert(document.cookie);</script>, could be used to inject content into the page.
<h1><%= ProductType %></h1>

<asp:gridview id="gvProducts" runat="server" autogeneratecolumns="false" itemtype="Data.Product">
  <columns>
    <asp:templatefield headertext="Name">
      <itemtemplate>
        <%# Item.Name %>
      </itemtemplate>
    </asp:templatefield>
  </columns>
</asp:gridview>
.NET 3.5 - Secure Code Example
Next, let's review how these instances would be mitigated in .NET 3.5 (as well as any version prior to .NET 3.5). In earlier versions of the framework, both exploitable instances would be modified to HTML encode the dynamic server side variables using the Microsoft Web Protection Library (formerly known as the AntiXSS library). If an attacker supplied the same malicious content described above in the vulnerable code example, then the HTML encoded value, &lt;script&gt;alert(document.cookie);&lt;/script&gt;, would not break out of the HTML context and execute in the browser.
<h1><%= Microsoft.Security.Application.Encoder.HtmlEncode(ProductType) %></h1>

<asp:gridview id="gvProducts" runat="server" autogeneratecolumns="false" itemtype="Data.Product">
  <columns>
    <asp:templatefield headertext="Name">
      <itemtemplate>
        <%# Microsoft.Security.Application.Encoder.HtmlEncode(Item.Name) %>
      </itemtemplate>
    </asp:templatefield>
  </columns>
</asp:gridview>
.NET 4.5 - Secure Code Example
Finally, let's review how these instances would be mitigated in .NET 4.5 using the HTML encoding shortcuts provided by the framework. The instance on line 1 uses the HTML encode rendering shortcut (<%: %>) to HTML encode the dynamic ProductType value. The instance on line 7 uses the HTML encode binding shortcut (<%#: %>) to HTML encode the dynamic Name value being bound by the grid view.
<h1><%: ProductType %></h1>

<asp:GridView ID="gvProducts" runat="server" AutoGenerateColumns="false" ItemType="Data.Product">
  <columns>
    <asp:templatefield headertext="Name">
      <itemtemplate>
        <%#: Item.Name %>
      </itemtemplate>
    </asp:templatefield>
  </columns>
</asp:GridView>
Default Encoding Library
Developers can further increase the strength of their default encoding library by overriding the default encoder to use the AntiXSS Library built into the .NET 4.5 framework.
<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
Summary
The HTML rendering shortcut (<%: %>) and binding shortcut (<%#: %>) provide a quick and simple way for developers to protect their web applications from XSS attacks when writing dynamic data to HTML contexts.
However, it should be noted that these shortcuts only provide XSS protection within an HTML context. Dynamic data being written to HTML attribute, JavaScript, CSS, and other contexts will each require the specific encoding algorithm provided in the AntiXss Library.
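To make the context caveat concrete, here is an added example (not code from the original post) that renders one product card into four output contexts and picks the matching encoder for each, using the AntiXssEncoder that the encoderType setting above switches on. The ProductCardRenderer class, its method names and the "red" accent colour are constructed for this example; the hostile product name is the post's own test value.

```csharp
using System;
using System.Text;
using System.Web;                    // HttpUtility (System.Web.dll, .NET 4.5)
using System.Web.Security.AntiXss;   // AntiXssEncoder, built into .NET 4.5

// Constructed example: one value, four contexts, one encoder per context.
static class ProductCardRenderer
{
    // Same malicious product name the post uses as its test case.
    public const string HostileName = "<script>alert(document.cookie);</script>";

    // HTML body context: what <%: %> and <%#: %> do. In a web app HttpUtility.HtmlEncode
    // routes through HttpEncoder.Current, which the httpRuntime encoderType setting points
    // at AntiXssEncoder; calling AntiXssEncoder directly gives that result regardless of web.config.
    public static string HtmlBody(string value)
    {
        return AntiXssEncoder.HtmlEncode(value, false);
    }

    // HTML attribute context: quotes and other delimiters are encoded so the value
    // cannot close the attribute and introduce a new one (such as an event handler).
    public static string HtmlAttribute(string value)
    {
        return AntiXssEncoder.HtmlAttributeEncode(value);
    }

    // JavaScript string literal context: quotes, backslashes, line terminators and '<'
    // are escaped, so the value can end neither the literal nor the <script> element.
    // HTML entities are not decoded inside <script>, so HtmlEncode is the wrong tool here.
    public static string JsString(string value)
    {
        return HttpUtility.JavaScriptStringEncode(value, addDoubleQuotes: true);
    }

    // CSS context: for a value that lands inside a style declaration.
    public static string Css(string value)
    {
        return AntiXssEncoder.CssEncode(value);
    }

    public static string Render(string productType, string name, string accentColor)
    {
        var sb = new StringBuilder();
        sb.AppendLine("<h1>" + HtmlBody(productType) + "</h1>");
        sb.AppendLine("<div title=\"" + HtmlAttribute(name) + "\" style=\"color:" + Css(accentColor) + "\">");
        sb.AppendLine("  " + HtmlBody(name));
        sb.AppendLine("</div>");
        sb.AppendLine("<script>var productName = " + JsString(name) + ";</script>");
        return sb.ToString();
    }

    static void Main()
    {
        Console.WriteLine(Render("Widgets", HostileName, "red"));
    }
}
```

Compile against System.Web.dll from .NET 4.5; the hostile name appears in the output as inert text in every context, with a different escaped form in each.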